CLAIMS 

WHAT IS CLAIMED IS: 

1. A machine-executable method for executing a trusted command issued by a user, said method comprising the steps of:

    (a) parsing the trusted command in an untrusted computing environment to generate a parsed command;

    (b) submitting the parsed command to a trusted computing environment; and

    (c) executing the parsed command in the trusted computing environment.



2. A method including the steps of claim 1 and additionally including the steps, executed after step (b) of claim 1, of:

    (1) in the trusted environment, displaying a representation of the parsed command to the user;

    (2) receiving a signal from the user signifying whether the displayed representation accurately represents the user's intentions; and

    (3) if the signal signifies that the displayed representation does not accurately represent the user's intentions, then preventing the performance of step (c) of claim 1.



3. The method of claim 2 wherein the representation of the parsed command is displayed, and the signal from the user is received, through a trusted path.



4. The method of claim 1 wherein the trusted computing environment comprises a security kernel.



5. The method of claim 1 wherein the untrusted computing environment comprises a general operating system.
6. A method for executing in a computing system a trusted command issued by a user, said method comprising the steps of:

    (a) receiving user identification data from the user via a trusted path;

    (b) receiving the trusted command from the user via an untrusted path;

    (c) parsing the trusted command in an untrusted computing environment to generate a parsed command;

    (d) submitting the parsed command to a trusted computing environment;

    (e) in the trusted computing environment, performing a security check on the parsed command and user identification data; and

    (f) in the trusted computing environment, executing the trusted command.
7. The method of claim 6, wherein the security check enforces an Orange Book security criterion.



8. A method including the steps of claim 6 and additionally including the steps, executed after step (d) and before step (f) of claim 6, of:

    (1) in the trusted environment, displaying a representation of the parsed command to the user;

    (2) receiving a signal from the user signifying whether the displayed representation accurately represents the trusted command; and

    (3) if the signal signifies that the displayed representation does not accurately represent the trusted command, then preventing the performance of step (f) of claim 6.
9. A method including the steps of claim 6 and additionally including the steps, executed after step (d) and before step (f) of claim 6, of:

    (1) in the trusted environment, displaying a representation of the parsed command to a second user;

    (2) receiving a signal from the second user signifying whether the displayed representation accurately represents a legitimate command; and

    (3) if the signal signifies that the displayed representation does not accurately represent a legitimate command, then preventing the performance of step (f) of claim 6.
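The split that claims 1, 2, 6, 8 and 9 describe (parse in the untrusted environment, then check, display and execute in the trusted one) can be modelled in a few dozen lines. The following Python is an added illustration, not code from the patent or from any product; the command language, the policy table, the file store and the user model are all constructed here. The point it makes is that the trusted side rebuilds the display form from the parsed structure it received, so a parser that silently changes the command is caught at the confirmation step, and a command the identified user may not run is stopped by the security check before anything is displayed.

```python
"""
Added illustration of the parse-untrusted / confirm-and-execute-trusted split.
Everything below (verbs, POLICY, the file store, the user model) is constructed.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class ParsedCommand:
    verb: str
    args: tuple[str, ...]


# --- untrusted computing environment (claim 6, steps (b) and (c)) ------------
def untrusted_parse(raw: str) -> ParsedCommand:
    """Tokenise the command the user typed over the untrusted path."""
    tokens = shlex.split(raw)
    if not tokens:
        raise ValueError("empty command")
    return ParsedCommand(tokens[0].lower(), tuple(tokens[1:]))


def tampering_parse(raw: str) -> ParsedCommand:
    """A compromised parser that silently redirects the command's target."""
    cmd = untrusted_parse(raw)
    swapped = tuple("payroll.txt" if a == "report.txt" else a for a in cmd.args)
    return ParsedCommand(cmd.verb, swapped)


# --- trusted computing environment (claim 6, steps (d) to (f); claim 8) -------
POLICY = {"alice": {"show", "delete"}, "bob": {"show"}}  # constructed policy


@dataclass
class TrustedEnvironment:
    files: dict[str, str] = field(
        default_factory=lambda: {"report.txt": "q3 numbers", "payroll.txt": "salaries"})

    def render(self, cmd: ParsedCommand) -> str:
        """Rebuild the display form from the parsed structure, never from the
        untrusted parser's own text, so what the user confirms is what runs."""
        return " ".join([cmd.verb, *(shlex.quote(a) for a in cmd.args)])

    def security_check(self, cmd: ParsedCommand, user_id: str) -> bool:
        """Step (e): check both the parsed command and the identification data."""
        if user_id not in POLICY or cmd.verb not in POLICY[user_id]:
            return False
        # Exactly one bare filename, no path components, naming an existing file.
        return len(cmd.args) == 1 and "/" not in cmd.args[0] and cmd.args[0] in self.files

    def execute(self, cmd: ParsedCommand) -> str:
        """Step (f): run the command inside the trusted environment."""
        target = cmd.args[0]
        if cmd.verb == "show":
            return f"show {target}: {self.files[target]}"
        del self.files[target]
        return f"deleted {target}"


def run_trusted_command(raw: str, user_id: str,
                        parser: Callable[[str], ParsedCommand],
                        confirm: Callable[[str], bool],
                        env: TrustedEnvironment) -> str:
    """user_id stands for identification data received via the trusted path
    (step (a)); confirm stands for the user's signal returned over the trusted
    path (claim 8, steps (1) to (3))."""
    try:
        parsed = parser(raw)                       # untrusted parse, step (c)
    except ValueError as exc:
        return f"rejected: {exc}"
    if not env.security_check(parsed, user_id):   # step (e)
        return "denied: security check failed"
    shown = env.render(parsed)                     # claim 8, step (1)
    if not confirm(shown):                         # steps (2) and (3)
        return f"aborted: user rejected {shown!r}"
    return env.execute(parsed)                     # step (f)


def user_who_intended(intended: str) -> Callable[[str], bool]:
    """Model of a user who approves only a display matching what they meant."""
    return lambda shown: shown == intended


def demo() -> dict[str, str]:
    """Constructed scenarios: honest parser, tampering parser, wrong user, bad path."""
    confirm = user_who_intended("delete report.txt")
    return {
        "honest": run_trusted_command("delete report.txt", "alice",
                                      untrusted_parse, confirm, TrustedEnvironment()),
        "tampered": run_trusted_command("delete report.txt", "alice",
                                        tampering_parse, confirm, TrustedEnvironment()),
        "unauthorised": run_trusted_command("delete report.txt", "bob",
                                            untrusted_parse, confirm, TrustedEnvironment()),
        "traversal": run_trusted_command("show ../etc/passwd", "alice",
                                         untrusted_parse, confirm, TrustedEnvironment()),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:13s} {outcome}")
```

The `tampered` case is the one the confirmation step exists for: the security check passes, because alice is allowed to delete `payroll.txt`, and only the trusted-side display reveals that the parsed command is not the one she issued.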



10. A method for ensuring the existence of a trusted path in a computing system comprising the steps of:

    (a) in a trusted computing environment, upon login by a user, assigning a process identifier to the user in the trusted computing environment;

    (b) storing the assigned process identifier in trusted memory;

    (c) establishing a trusted path;

    (d) in the trusted path, displaying the process identifier to the user; and

    (e) upon a subsequent entry into the trusted path, displaying the process identifier to the user.



11. The method of claim 10 wherein the process identifier is a randomly or pseudo-randomly generated group of alphanumeric characters.



12. The method of claim 11 wherein the process identifier is pronounceable.
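Claims 10 to 12 describe a per-login identifier that the trusted environment generates, keeps in trusted memory and shows on every entry into the trusted path. The following Python is an added illustration, not code from the patent; the consonant/vowel alphabet, the session names and the `TrustedEnvironment` class are constructed here. It shows why the identifier helps: software in the untrusted environment can imitate the trusted-path banner but never learns the stored identifier, so a user who remembers the value shown at login can tell a genuine trusted-path entry from a look-alike prompt.

```python
"""
Added illustration of the trusted-path process identifier of claims 10 to 12.
The alphabet, session names and banner format are constructed for this example.
"""
from __future__ import annotations

import random

CONSONANTS = "bdfgkmnprstvz"
VOWELS = "aeiou"


def generate_process_identifier(rng: random.Random, length: int = 8) -> str:
    """Claims 11 and 12: alphanumeric, pseudo-random and pronounceable, built
    by alternating consonants and vowels."""
    return "".join(rng.choice(CONSONANTS if i % 2 == 0 else VOWELS)
                   for i in range(length))


def is_pronounceable(ident: str) -> bool:
    """Check the consonant/vowel alternation this generator promises."""
    return all((c in CONSONANTS) if i % 2 == 0 else (c in VOWELS)
               for i, c in enumerate(ident))


class TrustedEnvironment:
    def __init__(self, rng: random.Random | None = None) -> None:
        # SystemRandom in real use; a seeded Random only to make a run repeatable.
        self._rng = rng or random.SystemRandom()
        self._trusted_memory: dict[str, str] = {}   # step (b): session -> identifier

    def login(self, session: str) -> str:
        """Step (a): assign the identifier at login and keep it in trusted memory."""
        ident = generate_process_identifier(self._rng)
        self._trusted_memory[session] = ident
        return ident

    def enter_trusted_path(self, session: str) -> str:
        """Steps (c) to (e): every entry into the trusted path shows the stored
        identifier, the first time and each subsequent time."""
        return f"[TRUSTED PATH] session {session} id={self._trusted_memory[session]}"


def untrusted_prompt(session: str, guess: str) -> str:
    """A look-alike banner produced by the untrusted environment, which has no
    access to trusted memory and can only guess the identifier."""
    return f"[TRUSTED PATH] session {session} id={guess}"


def user_verifies(banner: str, remembered: str) -> bool:
    """The user's check: accept a prompt only if it shows the identifier that
    was displayed at login."""
    return banner.endswith(f"id={remembered}")


def demo() -> dict[str, object]:
    """Constructed run: one genuine entry, one repeat entry, one imitation."""
    env = TrustedEnvironment(random.Random(42))   # seeded only for repeatability
    ident = env.login("session-1")
    genuine = env.enter_trusted_path("session-1")
    imitation = untrusted_prompt("session-1", "guest001")  # constructed guess
    return {
        "identifier": ident,
        "genuine_accepted": user_verifies(genuine, ident),
        "repeat_entry_same": env.enter_trusted_path("session-1") == genuine,
        "imitation_accepted": user_verifies(imitation, ident),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")
```

The scheme only works if the identifier is shown over a channel the untrusted environment cannot write to (claim 3's trusted path) and is unpredictable; a counter or a fixed string would let the imitation succeed.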
13. An automatic data processing machine programmed to execute the method of any one of claims 1 to 12.



14. An automatic data processing machine comprising means for performing the method steps of any one of claims 1 to 12.



15. A program storage device readable by a machine and tangibly embodying a representation of a program of instructions adaptable to be executed by said machine to perform the method of any one of claims 1 to 12.
16. Apparatus for executing a trusted command that is issued by a user and that is parsed by untrusted parsing means to generate a parsed command, comprising:

    (a) trusted means for receiving the parsed command; and

    (b) trusted means for executing the parsed command.



17. Apparatus for controlling the execution by a machine of a trusted command that is issued by a user and that is parsed by untrusted parsing means to generate a parsed command, comprising:

    (a) trusted-program storage means, readable by the machine, for causing the machine to receive the parsed command from the untrusted parsing means; and

    (b) trusted-program storage means, readable by the machine, for causing the machine to execute the parsed command.
18. Apparatus for controlling the execution by a machine of a trusted command that is issued by a user with user identification data and that is parsed by untrusted parsing means to generate a parsed command, comprising:

    (a) trusted program storage means, readable by the machine, for causing the machine to receive the user identification data from the user;

    (b) trusted program storage means, readable by the machine, for causing the machine to receive the parsed command from the untrusted parsing means;

    (c) trusted program storage means, readable by the machine, for causing the machine to perform a security check on the parsed command and a security check on the user identification data; and

    (d) trusted program storage means, readable by the machine, for causing the machine to execute the trusted command.
19. Apparatus as in claim 18 and additionally comprising:

    (1) trusted program storage means, readable by the machine, for causing the machine to display a representation of the parsed command to the user;

    (2) trusted program storage means, readable by the machine, for causing the machine to receive a signal from the user signifying whether the displayed representation accurately represents the trusted command; and

    (3) trusted program storage means, readable by the machine, for preventing the machine from executing the trusted command if the signal signifies that the parsed command does not accurately represent the trusted command.

20. Apparatus as in claim 18 and additionally comprising:

    (1) trusted program storage means, readable by the machine, for causing the machine to display a representation of the parsed command to a second user;

    (2) trusted program storage means, readable by the machine, for causing the machine to receive a signal from the second user signifying whether the displayed representation accurately represents a legitimate command; and

    (3) trusted program storage means, readable by the machine, for preventing the machine from executing the trusted command if the signal signifies that the parsed command does not accurately represent a legitimate command.